Introduction to FIDO Alliance

INTRODUCTION TO FIDO ALLIANCE FIDO Seminar, New York City, 31 March 2016 Brett McDowell, Executive Director [email protected] All Rights Reserved. FIDO Alliance. Copyright 2016.


Page 1: Introduction to FIDO Alliance

INTRODUCTION TO FIDO ALLIANCE

FIDO Seminar, New York City, 31 March 2016

Brett McDowell, Executive Director

[email protected]

All Rights Reserved. FIDO Alliance. Copyright 2016.

Page 2: Introduction to FIDO Alliance

The Problem

The Solution

The Alliance

The Market

Page 3: Introduction to FIDO Alliance

Data Breaches…

781 data breaches in 2015

170 million records in 2015 (up 50%)

$3.8 million cost/breach (up 23% f/2013)

Page 4: Introduction to FIDO Alliance

“A look through the details of these incidents shows a common sequence of phish customer ≥ get credentials ≥ abuse web application ≥ empty bank/bitcoin account.”

2015 Data Breach Investigations Report

Page 5: Introduction to FIDO Alliance

The world has a PASSWORD PROBLEM


Page 6: Introduction to FIDO Alliance

ONE-TIME PASSCODES

Improve security but aren’t easy enough to use

Still Phishable

User Confusion

Token Necklace

SMS Reliability


Page 7: Introduction to FIDO Alliance

WE NEED A NEW MODEL

Page 8: Introduction to FIDO Alliance

WE CALL OUR NEW MODEL

Fast IDentity Online

online authentication using public key cryptography

Page 9: Introduction to FIDO Alliance

The Problem

The Solution

The Alliance

The Market

Page 10: Introduction to FIDO Alliance

THE OLD PARADIGM

USABILITY

SECURITY

Page 11: Introduction to FIDO Alliance

THE FIDO PARADIGM

[Chart: USABILITY axis from Poor to Easy; SECURITY axis from Weak to Strong]

Page 12: Introduction to FIDO Alliance

HOW OLD AUTHN WORKS

ONLINE

The user authenticates themselves online by presenting a human-readable “shared secret”

Page 13: Introduction to FIDO Alliance

HOW FIDO AUTHN WORKS

AUTHENTICATOR

LOCAL: The user authenticates “locally” to their device (by various means)

ONLINE: The device authenticates the user online using public key cryptography

Page 14: Introduction to FIDO Alliance

Passwordless Experience (UAF Standards)

1. Authentication Challenge

2. Biometric Verification*

3. Authenticated Online

Second Factor Experience (U2F Standards)

1. Second Factor Challenge

2. Insert Dongle* / Press Button

3. Authenticated Online

*There are other types of authenticators

Page 15: Introduction to FIDO Alliance

OPEN STANDARDS R.O.I.

FIDO-ENABLE ONCE

GAIN EVERY DEVICE YOU TRUST

NO MORE ONE-OFF INTEGRATIONS

Page 16: Introduction to FIDO Alliance

USABILITY, SECURITY, R.O.I. and PRIVACY

Page 17: Introduction to FIDO Alliance

No 3rd Party in the Protocol

No Secrets on the Server Side

Biometric Data (if used) Never Leaves Device

No Link-ability Between Services

No Link-ability Between Accounts

Page 18: Introduction to FIDO Alliance

Better security for online services

Reduced cost for the enterprise

Simpler and safer for consumers

Page 19: Introduction to FIDO Alliance

The Problem

The Solution

The Alliance

The Market

Page 20: Introduction to FIDO Alliance

The FIDO Alliance is an open industry association of over 250 global member organizations

Page 21: Introduction to FIDO Alliance

FIDO SCOPE

[Diagram labels: Physical-to-digital identity, User Management, Authentication, Federation, Single Sign-On, Passwords, Risk-Based, Strong, MODERN AUTHENTICATION]

Page 22: Introduction to FIDO Alliance

FIDO Alliance Mission

1. Develop Specifications

2. Operate Adoption Programs

3. Pursue Formal Standardization

Page 23: Introduction to FIDO Alliance

Board Members


Page 24: Introduction to FIDO Alliance

Alliance Working Groups

Standards & Technology

1. FIDO UAF

2. FIDO U2F

3. FIDO 2.0

4. Certification

Market Adoption

5. Marketing

6. Privacy & Public Policy

7. Deployment-at-Scale

8. FIDO China

https://fidoalliance.org/working-groups

Page 25: Introduction to FIDO Alliance


Industry Partners

Our mission is highly complementary to many other associations around the world.


Page 26: Introduction to FIDO Alliance

FIDO DEVELOPMENT TIMELINE

FEB 2013: Alliance Announced (6 Members)

DEC 2013: FIDO Ready Program

FEB 2014: Specification Review Draft

FEB-OCT 2014: First Deployments

DEC 9, 2014: FIDO 1.0 FINAL

MAY 2015: Certification Program

JUNE 2015: New U2F Transports

TODAY: >250 Members, Market Adoption

Page 27: Introduction to FIDO Alliance

The Problem

The Solution

The Alliance

The Market

Page 28: Introduction to FIDO Alliance

2014 FIDO ADOPTION

“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”

Feb 24, 2014

“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”

September 17, 2014

“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”

October 21, 2014

Page 29: Introduction to FIDO Alliance

2015 FIDO ADOPTION

“Microsoft Announces FIDO Support Coming to Windows 10”

Feb 23, 2015

“Qualcomm launches Snapdragon fingerprint scanning technology”

March 2, 2015

“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’”

April 21, 2015

“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards.”

May 26, 2015

“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.”

August 12, 2015

“[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.”

September 15, 2015

“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification.”

October 1, 2015

Page 30: Introduction to FIDO Alliance

2016 FIDO ADOPTION

“NTT DOCOMO is now offering FIDO-enabled biometric authentication for customers using Apple iOS devices”

Mar 7, 2016

“FIDO Universal 2nd Factor (U2F) authentication is now being used to allow all UK citizens to easily and securely access GOV.UK Verify digital public services.”

Mar 23, 2016

“BC Card provides Token and FIDO services to strengthen security and safety of Samsung Pay”

March 1, 2016

“KEB Hana’s new solution is notably FIDO Certified.”

February 3, 2016

Page 31: Introduction to FIDO Alliance

Deployments are enabled by FIDO® Certified products available today

Page 32: Introduction to FIDO Alliance
Page 33: Introduction to FIDO Alliance

Leading OEMs Now Shipping FIDO Certified Devices

Samsung: Tab S, Tab S2; S5, Mini; Note 4, 5; Alpha; Note Edge; S6, S6 Edge

Sharp Aquos Zeta

Sony Xperia Z5

Fujitsu Arrows (Iris Biometrics)

LG V10 & G5

Page 34: Introduction to FIDO Alliance

Available to anyone

Ensures interoperability

Promotes the FIDO ecosystem

Steps to certification:

1. Conformance Self-Validation

2. Interoperability Testing

3. Certification Request

4. Trademark License (optional)

fidoalliance.org/certification

Page 35: Introduction to FIDO Alliance

JOIN THE FIDO ECOSYSTEM

Page 36: Introduction to FIDO Alliance

JOIN THE FIDO ALLIANCE

Page 37: Introduction to FIDO Alliance


THANK YOU FOR COMING!

@FIDOAlliance

www.fidoalliance.org

[email protected]